From: "Michael .."
To: freebsd-geom@freebsd.org
Subject: Re: GELI without passphrase on ZFS root
Date: Sat, 27 Oct 2018 01:59:06 +0200
List-Id: GEOM-specific discussions and implementations

Alaksiej,

You are correct. I originally tried to configure this on an installation of pfSense (using UEFI+GPT). The default AutoZFS installer with encryption for this does appear to create an unencrypted /boot/ with an encryption.key keyfile used along with a passphrase.

I tried to set the userkey using just the keyfile to remove the use of the passphrase. I can reset a userkey using both passphrase and keyfile (located in /boot) and the system will boot successfully. I think this proves /boot is accessible unencrypted for reading the keyfile.
loader.conf is (by default):

    geli_ada0p4_keyfile0_load="YES"
    geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
    geli_ada0p4_keyfile0_name="/boot/encryption.key"
    aesni_load="YES"
    geom_eli_load="YES"
    kern.cam.boot_delay=10000
    kern.ipc.nmbclusters="1000000"
    kern.ipc.nmbjumbop="524288"
    kern.ipc.nmbjumbo9="524288"
    vfs.root.mountfrom="zfs:zroot/ROOT/default"
    kern.geom.label.disk_ident.enable="0"
    kern.geom.label.gptid.enable="0"
    zpool_cache_load="YES"
    zpool_cache_type="/boot/zfs/zpool.cache"
    zpool_cache_name="/boot/zfs/zpool.cache"
    geom_eli_passphrase_prompt="YES"
    zfs_load="YES"
    autoboot_delay="3"
    hw.usb.no_pf="1"

Using geli configure -B /dev/ada0p4 as you suggested results in:

    Mounting from zfs:zroot/ROOT/default failed with error 2
    Loader variables:
    vfs.root.mountfrom=zfs:zroot/ROOT/default

When I couldn't get it working, I switched to a virtual machine running straight FreeBSD 11.2 (albeit BIOS+GPT). I realised this evening that the default disk partitioning is not the same, and a keyfile is not used by default when selecting encryption under the AutoZFS installer option, just a passphrase. I guess the installer is customised for pfSense.

Regards,
Michael.
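The message's point is that any keyfile named in loader.conf must sit on the unencrypted /boot so loader(8) can read it, so dropping the passphrase leaves the provider's only key material readable by whoever holds the disk. The following added example (not part of the original thread or of FreeBSD) is a screening script that parses a loader.conf, lists the GELI keyfiles the loader is told to load (the geli_<provider>_keyfile<N>_load/_name variables from the message) and reports whether geom_eli_passphrase_prompt still guards them. The sample configs are constructed: the first mirrors the loader.conf posted above, the second is a hypothetical keyfile-only variant with an extra provider ada1p4 added for illustration.

```shell
#!/bin/sh
# Added example: audit loader.conf for GELI keyfiles that loader(8) reads
# from the unencrypted /boot, and classify the configuration.
# Variable names follow the geli_<provider>_keyfile<N>_{load,name} pattern
# quoted in the message; the risk classes are this example's own.
# Caveat: loader.conf only shows whether the loader will ask for a
# passphrase; it cannot prove that the provider's metadata also requires one.

# Constructed sample 1: the loader.conf quoted in the message.
write_sample_as_posted() {
    cat > "$1" <<'EOF'
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
zfs_load="YES"
EOF
}

# Constructed sample 2 (hypothetical): prompt disabled, plus a second
# provider ada1p4 whose keyfile entry is present but not loaded.
write_sample_keyfile_only() {
    cat > "$1" <<'EOF'
# keyfile-only layout, passphrase prompt switched off
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
geli_ada1p4_keyfile0_load="NO"
geli_ada1p4_keyfile0_name="/boot/spare.key"
geom_eli_load="YES"
geom_eli_passphrase_prompt="NO"
EOF
}

# Print "provider path" for every keyfile whose matching _load is YES.
geli_keyfiles() {
    awk -F'=' '
        /^[[:space:]]*#/ { next }
        /^geli_.*_keyfile[0-9]+_(load|name)=/ {
            key = $1; val = $2
            gsub(/^"|"$/, "", val)            # strip surrounding quotes
            sub(/^geli_/, "", key)            # ada0p4_keyfile0_load
            split(key, parts, "_keyfile")     # parts[1]=provider, parts[2]=0_load
            split(parts[2], r, "_")           # r[1]=index, r[2]=load|name
            if (r[2] == "load") load[parts[1], r[1]] = toupper(val)
            if (r[2] == "name") name[parts[1], r[1]] = val
        }
        END {
            for (k in name) {
                if (load[k] == "YES") {
                    split(k, kk, SUBSEP)
                    print kk[1], name[k]
                }
            }
        }' "$1" | sort
}

# Classify: none | keyfile+passphrase | keyfile-only
geli_keyfile_mode() {
    conf=$1
    if [ -z "$(geli_keyfiles "$conf")" ]; then
        echo none
        return 0
    fi
    prompt=$(awk -F'=' '/^geom_eli_passphrase_prompt=/ {
                 v = $2; gsub(/"/, "", v); print toupper(v) }' "$conf" | tail -n 1)
    if [ "$prompt" = "YES" ]; then
        echo "keyfile+passphrase"
    else
        echo "keyfile-only"   # key material on unencrypted /boot is the sole secret
    fi
}

# Stand-alone demo over the two constructed samples.
demo=$(mktemp)
write_sample_as_posted "$demo"
echo "as posted:     $(geli_keyfile_mode "$demo") -> $(geli_keyfiles "$demo")"
write_sample_keyfile_only "$demo"
echo "keyfile-only:  $(geli_keyfile_mode "$demo") -> $(geli_keyfiles "$demo")"
rm -f "$demo"
```

Run it against a real /boot/loader.conf by calling geli_keyfile_mode on that path; a "keyfile-only" result means the disk can be unlocked with nothing but what is already stored on it, which is exactly the configuration the thread is discussing.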